Control who connects to your servers

Use only individual accounts and never share passwords

User accounts and their corresponding unique passwords need to remain strictly confidential to guarantee security. Shared accounts carry a risk of diluting responsibility as it makes it very difficult to allocate operations performed by that account to an individual.
 
Assigning accounts to single individuals, i.e. not using (shared) generic accounts creates user accountability. One user can have several accounts for several levels of access, but each of these accounts is strictly personal.
 

No one works with administrator privileges for daily office tasks

To carry out daily tasks, users need certain access rights to the company's data, and potentially to some internet sites. However, they should not be able to modify the technical set-up of their workstation (or have it modified), or to install dubious software.
 
Giving users administrator rights increases the risk of harm. Users are then able, even without knowing it, to perform sensitive operations such as increasing privileges, collecting information etc.
 
If certain people occasionally need an administrator account, create a second user account for them. They can then use their user account for standard work, and when they need to install or modify something, they connect to their admin account for the duration of the intervention.
 

Change all default passwords, create unique local administrator passwords and disable unused accounts

Many connected devices and some software have default passwords that do not always have to be changed when they are first used. Disable the default administrator accounts or assign a unique and random passphrase to avoid propagation using shared local administrator accounts.
 
The default passwords are a security loophole that is very easy to exploit because they are widely known and easy to use. There are databases out there with lists of these accounts and passwords!
 
Disable these default (administrator) accounts or assign passphrases that are random and unique for each.
 

Enforce authentication and password rules

By imposing the use of specific rules, as opposed to free choice, you ensure that the rules are adopted uniformly. Any deviation, deliberate or not, is rendered technically impossible.

If the rules concerning the complexity, renewal etc. of passwords are not made obligatory (but only 'recommended'), certain users will not apply them for reasons of ease or habit.